Now a doctoral student at the University of Washington, Saponas was the lead author of an online report released Thursday that raises privacy concerns about the Nike+iPod Sport Kit, a device from Nike and Apple that acts as a pedometer for runners.

Saponas and his fellow researchers say it also can be used as a tracking device for nefarious purposes -- such as keeping tabs on a girlfriend, stalking someone or planning a burglary.

Saponas, 25, said the researchers' point was not to bash this particular product but to emphasize that "as more and more of these gadgets come out, they need to be evaluated as to whether privacy has been considered in their design."

The $29 device consists of a dinner mint-sized sensor that fits into a special Nike+ running shoe and a receiver that attaches to an iPod Nano. The sensor detects a runner's movement and transmits workout information -- such as speed, distance and calories burned -- to the receiver.

Saponas, a runner, bought the device on the first day it went on sale in August. This fall, he needed to come up with a project for his computer security course. He thought that the way the device communicated information "might do it in a way that erodes my privacy."

The sensor transmits information with a unique signature that can be detected within a range of up to 60 feet by any Nike+iPod receiver.

Saponas worked with fellow UW graduate students Jonathan Lester and Carl Hartung, along with Yoshi Kohno, assistant professor of computer science and engineering, to build a variety of relatively inexpensive -- less than $250 -- surveillance devices to detect and track the sensors.

In one case, they linked the receiver to miniature "gumstix" computers, which could be hidden in bushes near a running trail or under a desk.

Anyone passing by with a sensor in his or her shoe -- or a sensor planted in, say, a pocket or backpack -- could be tracked.

The researchers outlined a scenario in which "Marvin," a troubled ex-boyfriend, places detectors at remote locations so he could know when "Alice," who is carrying a sensor, enters or departs a particular place.

"At a minimum, Marvin could somehow 'accidentally' find himself bumping into Alice at 'random' places, as if by coincidence," the report says.

Although the sensor has an on-off switch, Saponas said Nike's marketing language says that users can "just drop the sensor in their Nike+ shoes and forget about it."

The researchers also offered a variety of solutions.

A Nike spokesman declined to comment Thursday, saying he had just received the report. An Apple spokesman could not be reached for comment.

The researchers submitted their findings to both companies and then posted the report Thursday on a site linked to UW's Computer Science Department. It gained attention when Wired.com picked up the story.

Would the typical owner of the Nike+iPod Sport Kit even think of using it for devious purposes?

"It's hard to know," Saponas said, but what's obvious is the increasing use of devices utilizing Radio Frequency Identification, known as RFID, a method of storing and retrieving data on credit cards, certain clothing tags and other objects.

"This particular product is not necessarily going to endanger an individual, but as more and more products come out, it's going to be easier and easier to do things that the consumer does not know when they buy them," he said.

Jane Winn, co-director of the Shidler Center for Law, Commerce and Technology at the UW, underscored that point.

"It sounds like Apple and Nike are relying on 'security by obscurity' rather than a formal model of security," she said.